disa.mil servers are timing out on me over IPv6: $ dig IN NS gcds.disa.mil. @DNS1.DISA.MIL. ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out ;; communications error to 2608:125:0:1811:1001:9012:f00:20#53: timed out
; <<>> DiG 9.21.3-1+0~20241211.133+debian12~1.gbp5b5fe5-Debian <<>> IN NS gcds.disa.mil. @DNS1.DISA.MIL. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55426 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;gcds.disa.mil. IN NS ;; ANSWER SECTION: gcds.disa.mil. 12699 IN NS dns1.disa.mil. gcds.disa.mil. 12699 IN NS dns3.disa.mil. gcds.disa.mil. 12699 IN NS dns5.disa.mil. gcds.disa.mil. 12699 IN NS dns2.disa.mil. gcds.disa.mil. 12699 IN NS dns4.disa.mil. ;; ADDITIONAL SECTION: dns1.disa.mil. 7151 IN AAAA 2608:125:0:1811:1001:9012:f00:20 dns2.disa.mil. 7151 IN AAAA 2608:102:0:182d:1001:9012:c00:20 dns3.disa.mil. 7151 IN AAAA 2608:145:0:180b:1001:9012:d00:20 dns4.disa.mil. 6608 IN AAAA 2608:c182:0:1012:1001:9012:1400:20 dns4.disa.mil. 6608 IN AAAA 2608:c182::1001:9012:1600:20 dns5.disa.mil. 7151 IN AAAA 2608:4122:0:1012:1001:9012:1400:20 ;; Query time: 252 msec ;; SERVER: 152.229.110.232#53(DNS1.DISA.MIL.) (UDP) ;; WHEN: Tue Dec 17 21:09:53 CET 2024 ;; MSG SIZE rcvd: 305 And given there's so many delegations and so many redirections, the result is inevitable... There's at least 4 queries that need to be done against disa.mil servers and if they all end up with timeout over IPv6, the whole query times out because it will run out of the time. gdcs.disa.mil IN NS apps.gdcs.disa.mil IN NS cds.disa.mil IN NS e1008.d.akamaiedge.akamai.csd.disa.mil. IN A Ondřej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 17. 12. 2024, at 20:56, Clark, Roger <roc...@wm.edu> wrote: > > I have a user who is unsuccessfully trying to resolve ‘extranet.aro.army.mil’ > using our BIND resolvers. The query is failing with a 'shut down hung fetch > while resolving’ error message with some DNSSEC warning as well. The name > resolves without issue querying other external resolvers and also is > successful using dig +trace. I did notice there was an issue with an error > produced by one of the names in the CNAMe chain ( > https://gitlab.isc.org/isc-projects/bind9/-/issues/4797 ). > > Do I have something misconfigured or is there something wrong on the > authoritative side? > > Thank you! > > Roger > > Query: > # dig extranet.aro.army.mil @localhost > ;; communications error to 127.0.0.1#53: timed out > ;; communications error to 127.0.0.1#53: timed out > ;; communications error to 127.0.0.1#53: timed out > ;; communications error to 127.0.0.1#53: timed out > ;; communications error to 127.0.0.1#53: timed out > > ; <<>> DiG 9.18.32 <<>> extranet.aro.army.mil @localhost > ;; global options: +cmd > ;; no servers could be reached > > Logs: > 17-Dec-2024 16:05:59.558 client @0x7fae4b99e230 127.0.0.1#55089 > (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1) > 17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure > response; parent indicates it should be secure > 17-Dec-2024 16:06:00.518 validating gcds.disa.mil/SOA: got insecure > response; parent indicates it should be secure > 17-Dec-2024 16:06:00.518 validating apps.gcds.disa.mil/NS: no valid signature > found > 17-Dec-2024 16:06:00.594 validating apps.gcds.disa.mil/SOA: no valid > signature found > 17-Dec-2024 16:06:00.594 validating > Q3C76IBKTMFUF8PMSHSSCOPM8LOKJKK2.apps.gcds.disa.mil/NSEC3: no valid signature > found > 17-Dec-2024 16:06:00.642 validating apps.gcds.disa.mil/SOA: no valid > signature found > 17-Dec-2024 16:06:00.642 validating > LP2F0U0VHJI70GSV9KTM3KC7HQDJKD9R.apps.gcds.disa.mil/NSEC3: no valid signature > found > 17-Dec-2024 16:06:00.678 validating aro.army.mil.apps.gcds.disa.mil/CNAME: no > valid signature found > 17-Dec-2024 16:06:01.558 client @0x7fae4b97e220 127.0.0.1#39052 > (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1) > 17-Dec-2024 16:06:03.562 client @0x7fae4a551240 127.0.0.1#35234 > (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1) > 17-Dec-2024 16:06:05.566 client @0x7fae4a54f260 127.0.0.1#58021 > (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1) > 17-Dec-2024 16:06:07.566 client @0x7fae4a547290 127.0.0.1#52253 > (extranet.aro.army.mil): query: extranet.aro.army.mil IN A +E(0)K (127.0.0.1) > 17-Dec-2024 16:06:12.678 shut down hung fetch while resolving > 'aro.army.mil.edgekey.dmz.akamai.csd.disa.mil/A' > 17-Dec-2024 16:06:12.678 client @0x7fae4b99e230 127.0.0.1#55089 > (extranet.aro.army.mil): query failed (operation canceled) for > extranet.aro.army.mil/IN/A at query.c:7877 > 17-Dec-2024 16:06:12.678 client @0x7fae4b97e220 127.0.0.1#39052 > (extranet.aro.army.mil): query failed (operation canceled) for > extranet.aro.army.mil/IN/A at query.c:7877 > 17-Dec-2024 16:06:12.678 client @0x7fae4a551240 127.0.0.1#35234 > (extranet.aro.army.mil): query failed (operation canceled) for > extranet.aro.army.mil/IN/A at query.c:7877 > 17-Dec-2024 16:06:12.678 client @0x7fae4a54f260 127.0.0.1#58021 > (extranet.aro.army.mil): query failed (operation canceled) for > extranet.aro.army.mil/IN/A at query.c:7877 > 17-Dec-2024 16:06:12.678 client @0x7fae4a547290 127.0.0.1#52253 > (extranet.aro.army.mil): query failed (operation canceled) for > extranet.aro.army.mil/IN/A at query.c:7877 > > Trace: > > # dig +trace extranet.aro.army.mil @localhost > > ; <<>> DiG 9.18.32 <<>> +trace extranet.aro.army.mil @localhost > ;; global options: +cmd > . 518092 IN NS b.root-servers.net. > . 518092 IN NS g.root-servers.net. > . 518092 IN NS f.root-servers.net. > . 518092 IN NS k.root-servers.net. > . 518092 IN NS a.root-servers.net. > . 518092 IN NS d.root-servers.net. > . 518092 IN NS c.root-servers.net. > . 518092 IN NS m.root-servers.net. > . 518092 IN NS e.root-servers.net. > . 518092 IN NS i.root-servers.net. > . 518092 IN NS h.root-servers.net. > . 518092 IN NS j.root-servers.net. > . 518092 IN NS l.root-servers.net. > . 518092 IN RRSIG NS 8 0 518400 20241230050000 > 20241217040000 61050 . > rswM6OY8ylCNnmkfbUrdnNcTyPMuraztXrBbrrfTOO1M3vp9gCea+qj+ > FKEPxb/M7EwJYthquLPfOX+5nkV2ROBFwXrTBYS4Zg6zLC40lNwPFqdY > 9X2cYpfYW1ljr1LuW9bEyBYwCfZB8g7eg+v0nMyrX+uDLH2mneiwJhiZ > orJTZqVegiHMlX5jNe+btW7uJdAD+05MkI8CP8uD4ZElZ4ghjAG77aZB > DLD9Ra+SE4j/1ECrkWEwP543tlYq0mmLIDP3TDObTGFMy3qjjItQtM83 > NmCWD8OAFNbl28AaYMDREpMryZDaxPXNEYiAF3JDfTyM1otJqd7C9kjm 9gM/qg== > ;; Received 1137 bytes from 127.0.0.1#53(localhost) in 0 ms > > mil. 172800 IN NS con1.nipr.mil. > mil. 172800 IN NS pac2.nipr.mil. > mil. 172800 IN NS pac1.nipr.mil. > mil. 172800 IN NS eur2.nipr.mil. > mil. 172800 IN NS eur1.nipr.mil. > mil. 172800 IN NS con2.nipr.mil. > mil. 86400 IN DS 63500 8 2 > 3BAA83867103D6604A124282063F295E1B15C87CC13CB875A42F5754 A912EBE0 > mil. 86400 IN RRSIG DS 8 1 86400 20241230050000 > 20241217040000 61050 . > X2VVY9CekNpZhFq3x4ZIz8gI9nsCicqgJHzi1kEaRAW4hXzZGR+hAMNq > 58680WjNluI/zaWt6eOpfkt+8XNEMJfc5cK5dmnOCs6jv9Blkv4moe6O > 3Mr5F5Dm37m13Jw8pBIMJb2ylk1pzOsDQbWKjS+Ak3xXJH357YopmxVO > fXQ6Zmu6VCmbiA9rhtI5fX2wuwzhcI5gAn4ARCTFVDo5XM8JKwc3vHs9 > 9dtGZhJ2UZ9ryZk+ulxGabZ3czSWjof93zn9GHfKezUFeGOqEkdO3op/ > 9Oift8tpAM+IDdZFaFgI3VU+SJpwX+5BgavHILio8YtB5wXZ1z1Wfp3r iZw/kw== > ;; Received 802 bytes from 192.36.148.17#53(i.root-servers.net) in 44 ms > > ARMY.MIL. 21600 IN NS NS02.ARMY.MIL. > ARMY.MIL. 21600 IN NS NS01.ARMY.MIL. > ARMY.MIL. 21600 IN NS NS03.ARMY.MIL. > ARMY.MIL. 10800 IN DS 34552 8 1 > 2DFA605AE37365DC018249BC6E7FEB3EF55BAF85 > ARMY.MIL. 10800 IN DS 34552 8 2 > 77BF656C5361FF501D81AC4F7DAB185B5F8587AF0421283F7373956F 2DFA4543 > ARMY.MIL. 10800 IN RRSIG DS 8 2 10800 20241224000431 > 20241217000431 40843 mil. > oGdnWjQd0HT+UP0o7ct3fbY/Ur/bcxWX6sYflvIZnGy5VlpEB8TF1xQG > gtwtHUhfcPTHxUHIqnN+CDarvQTGSbfjCDOrHtYKt1kSSQD91Gz3efgP > 4G68ACiGH7SbMUOpDGIBQ/MWzibBPnE1biJchhPuMALfz9GO2qM2Sb5c IIw= > ;; Received 410 bytes from 199.252.154.234#53(eur1.nipr.mil) in 32 ms > > extranet.aro.army.mil. 3600 IN CNAME > aro.army.mil.apps.gcds.disa.mil. > extranet.aro.army.mil. 3600 IN RRSIG CNAME 8 4 3600 > 20241220162507 20241216162111 44331 aro.army.mil. > GQ8IGU9aMU6ZiVZrIAJJDv+kPU7YGYs66bpQiMtNw2VtoScz9uhhOs7M > Nns1t8uClwMhVVr/NE0cPh5yK7Y0p4AQQWJT3IY07b+5Jy5HFf0bwEWs > lBTjqvVOzaVdKXAW0SSTt8dd8phvIskmKDJDPeJx05HKd6cIExzvG1dG > M+krqrGsltBQANXByi5koLfUWaxLGzoC676kBM4MhxRHYOXaCzdhIf1K > VWaxLMptuhVke1pi8oMY/4FQREs8PEwRwPVRRD4lgMw6XshRpVuI9V65 > r+JxiGI/kiwm9Z9ckr6nBEkkry/0/5G4NtcgzfncADRxUrUvJ5NNvd/E rHnhWw== > aro.army.mil.apps.gcds.disa.mil. 3599 IN CNAME > aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. > aro.army.mil.apps.gcds.disa.mil. 3599 IN RRSIG CNAME 8 7 3600 > 20250108200421 20241209200421 57303 apps.gcds.disa.mil. > Pw8WDBdIcSyZsOtYpuOw9/i2Bc4IfcPvel+/MU6GC7ekpS4ba7JZRv13 > 7se5C1VEOxQlKc+Z/yLY5EhfJfrlJg9QmIKXhRj9h2rzjsjoFljzp0PQ > joSo7J4eiWGCPi9TNLWMiC5A8Qj8JYYdOHC0RRFWUOjGQHeGPvStcUfj ROQ= > aro.army.mil.edgekey.dmz.akamai.csd.disa.mil. 179 IN CNAME > e1008.d.akamaiedge.akamai.csd.disa.mil. > e1008.d.akamaiedge.akamai.csd.disa.mil. 14 IN A 214.48.248.31 > ;; Received 669 bytes from 140.153.43.44#53(NS01.ARMY.MIL) in 80 ms > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
